[HN Gopher] Towards native security defenses for the web ecosystem
       ___________________________________________________________________
        
       Towards native security defenses for the web ecosystem
        
       Author : edmorley
       Score  : 18 points
       Date   : 2020-07-22 21:04 UTC (1 hours ago)
        
 (HTM) web link (security.googleblog.com)
 (TXT) w3m dump (security.googleblog.com)
        
       | techntoke wrote:
       | If they would just use a container sandbox and
       | AppArmor/Seccomp/etc we wouldn't be stuck on this JavaScript
       | monster we've created that still allows companies to spy on every
       | mouse movement and track you around the web by default, but now
       | requires 100s of unvetted JavaScript modules and dependencies for
       | a framework to do the most simple tasks that should be included
       | by default in HTML.
        
         | The_rationalist wrote:
         | If they used such a sandboxing technology, could they bring
         | true support for other programming languages than js?
          | (WebAssembly has no seamless support of browser APIs and no
          | seamless js interop) I strongly think that bringing GraalVM
          | polyglotism to browsers is one of the biggest breakthroughs
          | awaiting browsers this century! It would bring the pleasure and
          | expressiveness of modern programming languages, bring more
          | performance and bring insanely big advantages, orders of
          | magnitude too big for our Homo sapiens brains to realize: bring
         | the other programming ecosystems such as the Java one, as such
         | bring hundreds of billions of dollars of existing human
         | resources AKA the best open source libraries in the world,
         | solving any niche problem at will.
        
           | techntoke wrote:
           | Yes, not only would it allow support for other programming
           | languages but it would be orders of magnitude faster than
           | JavaScript. I agree with pretty much everything you said.
        
       | ohazi wrote:
       | I'm conflicted.
       | 
       | On the one hand, this looks _way_ too complicated, and I predict
       | web devs are going to be confused and getting this stuff subtly
       | wrong for the next decade or more. CORS was bad enough, but this
       | looks worse.
       | 
       | On the other hand, processors are completely broken and I
       | genuinely don't see a better alternative.
        
         | arkadiyt wrote:
         | It doesn't seem so bad to me. Fetch Metadata will be handled by
         | your framework of choice (Rails, Django, etc) & COOP is a
         | single header that can be deployed by the security team in your
         | app or at the edge. TrustedTypes are the only thing that will
         | really cause developer headache I think.
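
The two server-side pieces mentioned in the comment above, as an added example that is not part of the thread or of the linked post: a Fetch Metadata resource isolation check plus the COOP response header. The function names, the 403 status and the sample requests are assumptions made for illustration.

```python
# Added example: framework-agnostic sketch (hypothetical helper names).
# In practice this logic sits in middleware (Rails, Django, ...) or at the edge.

SAFE_SITES = {"same-origin", "same-site", "none"}  # "none" = user-initiated
COOP_HEADER = ("Cross-Origin-Opener-Policy", "same-origin")
VARY_HEADER = ("Vary", "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest")


def is_allowed(method, headers):
    """Resource isolation policy driven by Fetch Metadata request headers."""
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    # Browsers without Fetch Metadata send no header: let them through so
    # the policy does not break older clients.
    if site is None:
        return True
    # Requests from our own origin or site, or typed/bookmarked URLs.
    if site in SAFE_SITES:
        return True
    # Cross-site: permit only plain top-level navigations (someone following
    # a link), not subresource loads, form POSTs or <object>/<embed>.
    return (
        h.get("sec-fetch-mode") == "navigate"
        and method.upper() == "GET"
        and h.get("sec-fetch-dest") not in ("object", "embed")
    )


def handle(method, headers):
    """Return (status, response_headers) for one request."""
    status = 200 if is_allowed(method, headers) else 403
    # COOP goes on every response; Vary keeps caches from serving a response
    # chosen for one Sec-Fetch-* combination to a different one.
    return status, [COOP_HEADER, VARY_HEADER]


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("GET", {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors"}),
        ("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
                 "Sec-Fetch-Dest": "document"}),
        ("POST", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
                  "Sec-Fetch-Dest": "empty"}),
    ]
    for method, hdrs in samples:
        print(method, hdrs.get("Sec-Fetch-Site"), handle(method, hdrs)[0])
```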
        
       ___________________________________________________________________
       (page generated 2020-07-22 23:00 UTC)